Skip to content

ci(vscode): publish the extension to the Marketplace on difit releases#424

Open
yoshiko-pg wants to merge 3 commits into
mainfrom
claude/vscode-release-automation
Open

ci(vscode): publish the extension to the Marketplace on difit releases#424
yoshiko-pg wants to merge 3 commits into
mainfrom
claude/vscode-release-automation

Conversation

@yoshiko-pg

@yoshiko-pg yoshiko-pg commented Jul 4, 2026

Copy link
Copy Markdown
Owner

What

Adds .github/workflows/publish-vscode.yml, triggered when a GitHub release is published (the same trigger as the npm publish workflow) plus workflow_dispatch for manual runs:

  1. Version sync — rewrites packages/vscode/package.json version to the released difit version, so the extension version always matches the CLI it bundles. The in-repo 0.1.0 stays as a placeholder.
  2. Build & package — reuses the existing pnpm run package:vscode script (root build → esbuild bundles → watcher prebuilds → vsce package).
  3. Publish (no PAT) — uses secure automated publishing to Visual Studio Marketplace: the job's release environment exchanges a GitHub OIDC token for a Microsoft Entra ID credential via azure/login (workload identity federation), then runs vsce publish --azure-credential. No long-lived Marketplace PAT is stored — relevant because Azure DevOps global PATs retire on 2026-12-01. Also publishes to Open VSX when an OVSX_PAT secret exists (Open VSX has no OIDC flow; step is skipped otherwise).
  4. Release asset — attaches the .vsix to the GitHub release for manual installs.

Also removes the manual vscode-release Codex skill, superseded by this workflow.

One-time setup required before this works

  1. In Azure, create a user-assigned managed identity (or an Entra app registration) and add a federated credential for GitHub Actions with subject repo:yoshiko-pg/difit:environment:release (issuer https://token.actions.githubusercontent.com).
  2. In Marketplace publisher management, add that identity as a member of the yoshiko-pg publisher.
  3. Add repository secrets: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID (identifiers of the identity above).

The release environment is created automatically on the first run; optionally add protection rules to it.

Notes

  • The workflow can be tested without a release via Run workflow (workflow_dispatch); it publishes the current main as-is, so run it once after the Azure setup to do the initial Marketplace publish.
  • Marketplace rejects re-publishing an existing version, so re-running the workflow for the same release fails cleanly rather than double-publishing.

🤖 Generated with Claude Code

yoshiko-pg and others added 3 commits July 4, 2026 09:39
Add a publish-vscode workflow that runs when a GitHub release is
published (same trigger as the npm publish workflow):

- Rewrites the extension version to the released difit version, so the
  bundled extension always tracks the CLI release
- Builds and packages the VSIX via the existing package:vscode script
- Publishes to the VS Code Marketplace with the VSCE_PAT secret, and to
  Open VSX when an OVSX_PAT secret is configured
- Attaches the .vsix to the GitHub release for manual installs

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Switch the Marketplace publish step to the officially recommended
secure automated publishing flow: the workflow's release environment
exchanges a GitHub OIDC token for a Microsoft Entra ID credential via
azure/login (workload identity federation), and vsce publishes with
--azure-credential. Azure DevOps global PATs retire on 2026-12-01, so
no long-lived publishing secret is stored.

Also remove the manual vscode-release Codex skill, which is superseded
by the automated workflow.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The Marketplace already has the extension published as yoshiko-pg.difit;
keeping the package name difit-vscode would create a separate listing
instead of updating it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant